@jiparis jiparis commented Aug 13, 2024

This is the closing PR for #1180

This change adds the capability to load policies from remote providers, by using the chainloop://[provider-name/]policy-name syntax in the ref field in contracts.

Note that for the feature to fully work, at least one provider must be configured in the control plane deployment. If no provider is set in the ref field, the default provider will be tried.
Previously, only policies coming from local filesystem and public HTTPS were supported.

Note that I've removed policy validations during contract craft operations, since they might not be present during contract creation.

Example execution:

> chainloop wf contract update --name embedded --contract test/my-contract.yaml
WRN API contacted in insecure mode
WRN Both user credentials and $CHAINLOOP_TOKEN set. Ignoring $CHAINLOOP_TOKEN.
INF Contract updated!
┌────────────────────────────────────────────┐
│ Contract                                   │
├──────────────────────┬─────────────────────┤
│ Name                 │ embedded            │
├──────────────────────┼─────────────────────┤
│ Description          │                     │
├──────────────────────┼─────────────────────┤
│ Associated Workflows │                     │
├──────────────────────┼─────────────────────┤
│ Revision number      │ 30                  │
├──────────────────────┼─────────────────────┤
│ Revision Created At  │ 13 Aug 24 23:11 UTC │
└──────────────────────┴─────────────────────┘
┌────────────────────────────────────────────────────┐
│ {                                                  │
│   "schemaVersion": "v1",                           │
│   "policies": {                                    │
│     "materials": [                                 │
│       {                                            │
│         "ref": "chainloop://cyclonedx-banned-agpl" │
│       }                                            │
│     ],                                             │
│     "attestation": [                               │
│       {                                            │
│         "ref": "chainloop://sbom-present"          │
│       }                                            │
│     ]                                              │
│   }                                                │
│ }                                                  │
└────────────────────────────────────────────────────┘
✗ chainloop att init --name policytest --replace
WRN API contacted in insecure mode
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────┬──────────────────────────────────────┐
│ Initialized At    │ 13 Aug 24 23:11 UTC                  │
├───────────────────┼──────────────────────────────────────┤
│ Attestation ID    │ 4967926c-b527-4a91-98ae-e868ff06f31b │
│ Name              │ policytest                           │
│ Team              │                                      │
│ Project           │ myproject                            │
│ Contract Revision │ 30                                   │
└───────────────────┴──────────────────────────────────────┘
✗ chainloop att push
WRN API contacted in insecure mode
INF evaluating policy 'sbom-present' on attestation
WRN found policy violations (sbom-present) for statement
WRN  - missing SBOM material
INF push completed
┌───────────────────┬──────────────────────────────────────┐
│ Initialized At    │ 13 Aug 24 23:27 UTC                  │
├───────────────────┼──────────────────────────────────────┤
│ Attestation ID    │ 31604952-2a73-4309-bc0d-30690c841e28 │
│ Name              │ policytest                           │
│ Team              │                                      │
│ Project           │ myproject                            │
│ Contract Revision │ 30                                   │
└───────────────────┴──────────────────────────────────────┘

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

@migmartri migmartri left a comment


LGTM!


@migmartri migmartri left a comment


my only comment is that we might not be ready to make the switch to default provider since if we merge this, it would mean that all the policies that we have today up there will behave like remote providers when they were supposed to be files?

What if we do this in two steps

1 - we require passing a protocol and no protocol still means file
2 - we rewrite our examples, policies and so on to include file://
3 - we replace what no protocol means

wdyt?

@jiparis jiparis requested a review from javirln August 14, 2024 07:53
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
jiparis commented Aug 14, 2024

> my only comment is that we might not be ready to make the switch to default provider since if we merge this, it would mean that all the policies that we have today up there will behave like remote providers when they were supposed to be files?
>
> What if we do this in two steps
>
> 1 - we require passing a protocol and no protocol still means file
> 2 - we rewrite our examples, policies and so on to include file://
> 3 - we replace what no protocol means
>
> wdyt?

By default it will behave as before. This is the sequence:

  1. check for embedded policy. If it exists, just use it.
  2. check for chainloop:// protocol in ref. If it exists, it uses the remote loader
  3. otherwise, it uses the default behaviour for ref, interpreting https://, env:// protocols, and defaulting to filesystem if no protocol is found.
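The resolution order jiparis describes, as an added Go example that is not Chainloop's own code: `PolicyAttachment`, `Resolution` and `Resolve` are hypothetical names, and the example assumes a contract policy entry carries either an embedded body or a ref string. It goes one step beyond the discussion by rejecting malformed `chainloop://` refs (empty policy name, nested path) instead of silently mapping them to some provider.

```go
package main

import (
	"errors"
	"strings"
)

// PolicyAttachment mirrors a contract policy entry (hypothetical type, not Chainloop's
// own): an inline policy body, or a ref like "chainloop://provider/name" or "policy.yaml".
type PolicyAttachment struct {
	Embedded string // inline policy; wins over Ref when non-empty
	Ref      string
}

// Resolution names the chosen loader; for "remote", empty Provider means the default provider.
type Resolution struct {
	Loader   string // "embedded", "remote", "https", "env" or "file"
	Provider string
	Name     string
}

const remoteScheme = "chainloop://"
// Resolve applies the precedence from the PR discussion: embedded policy,
// then the chainloop:// remote loader, then the pre-existing ref handling.
func Resolve(p PolicyAttachment) (Resolution, error) {
	if p.Embedded != "" {
		return Resolution{Loader: "embedded"}, nil
	}
	ref := strings.TrimSpace(p.Ref)
	switch {
	case ref == "":
		return Resolution{}, errors.New("policy has neither embedded body nor ref")
	case strings.HasPrefix(ref, remoteScheme):
		provider, name := "", strings.TrimPrefix(ref, remoteScheme)
		if i := strings.IndexByte(name, '/'); i >= 0 {
			provider, name = name[:i], name[i+1:]
		}
		// Reject empty names and nested paths such as "chainloop://a/b/c".
		if name == "" || strings.ContainsRune(name, '/') {
			return Resolution{}, errors.New("malformed remote policy ref: " + ref)
		}
		return Resolution{Loader: "remote", Provider: provider, Name: name}, nil
	case strings.HasPrefix(ref, "https://"):
		return Resolution{Loader: "https", Name: ref}, nil
	case strings.HasPrefix(ref, "env://"):
		return Resolution{Loader: "env", Name: strings.TrimPrefix(ref, "env://")}, nil
	default:
		return Resolution{Loader: "file", Name: ref}, nil // no scheme: filesystem path
	}
}
```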

@jiparis jiparis merged commit d5a5d0c into chainloop-dev:main Aug 14, 2024
@jiparis jiparis deleted the 1180-cli branch August 14, 2024 09:18